Report: Secret Service investigates possible network breach of Sears

No evidence yet of actual breach, retailer says.

The US Secret Service is investigating a possible attack on the corporate network of Sears Holdings Corp. after high-profile hacks of Target, Neiman Marcus, and possibly other retailers have compromised tens of millions of credit cards, Bloomberg News reported.

"There have been rumors and reports throughout the retail industry of security incidents at various retailers and we are actively reviewing our systems to determine if we have been a victim of a breach," a Sears spokesman said in a statement, according to a report published Friday. "We have found no information based on our review of our systems to date indicating a breach."

Neither the Bloomberg report nor the statement from Sears said when the investigation began or provided other details. KrebsOnSecurity reporter Brian Krebs, who originally broke news of the Target breach, cautioned that there's reason to believe there may be no breach at Sears.

"Although the Sears investigation is ongoing, experts say there is a good chance the identification of Sears as a victim is a false alarm caused by a common weakness in banks’ anti-fraud systems that becomes apparent mainly in the wake of massive breaches like the one at Target late last year," Krebs wrote in an article published shortly after the Bloomberg report.

The Secret Service is already investigating the breaches of Target and Neiman Marcus.

Target has said that data for about 40 million customer credit cards was siphoned out of its point-of-sale terminals late last year. Home addresses, shopping preferences, and other personal information for about 70 million customers have also been compromised. Attackers reportedly gained access to Target's corporate network using authentication credentials stolen from a heating, ventilation, and air-conditioning subcontractor that has done work for a variety of other large retailers.

Promoted Comments

"The United States Secret Service is a federal law enforcement agency with headquarters in Washington, D.C., and more than 150 offices throughout the United States and abroad. The Secret Service was established in 1865, solely to suppress the counterfeiting of U.S. currency. Today, the agency is mandated by Congress to carry out dual missions: protection of national and visiting foreign leaders, and criminal investigations."

What jurisdiction does the Secret Service have over data breaches like this? Can anyone cite to a statute?

You're aware the USSS was originally formed to police financial stuff right? Originally it was just anti-counterfeiting, then expanded to other crimes of national import as well as intelligence both foreign and domestic. It was the FBI, CIA, NSA, and ATF all rolled into one before any of those existed. The body guarding came much later, growing out of the counterintelligence wing of the agency.

It's still the agency in charge of financial fraud cases, which encompasses hacking, identity theft and (as it was originally tasked) counterfeiting.

Thanx I didn't know any of that. I wasn't saying they should not investigate -- I was only asking what legal authority they have. Apparently they have quite a lot of legal authority.

I used to work on a team that supported the systems at Sears, in a call center. We'd often get consulted by the equivalent team at the retail store which was in the same parking lot. While this was many years ago, I have a friend who still works there. All I can say, from what he says, is that having no evidence wouldn't be surprising even if it was a 12yo script kiddie who penetrated the system.

"There have been rumors and reports throughout the retail industry of security incidents at various retailers and we are actively reviewing our systems to determine if we have been a victim of a breach," a Sears spokesman said in a statement...

Basically, many of the initial cyber crime cases were financial in nature, so they wound up going to the Secret Service, which built up expertise in investigating such cases. As the beat expanded, they wound up getting it specifically to their charter, because of that experience.

Yeah, me too. So how does Secret Service differ from FBI then? Seems like this is something FBI would do. Do they overlap then?

Yeah the NSA listens, The FBI snoops, The DEA snoops, The CIA snoops, The SS snoops. YOU have no secrets, but they sure do!

Sears is a company where the CEO forced IT to build a giant internal social network, forced all employees to use it, and then signed up himself under a pseudonym to spy on the employees. He makes individual departments essentially duke it out for budgets, apparently completely forgetting that a corporation is not a gladiatorial arena and should not be run like one.

Eddie Lampert (and I'm sure he'll read this at some point, as you can probably deduce from the above he's a bit of a vanity whore and loves Googling himself), you're one stupid son of a bitch.

OK, so card numbers, which have been used for fraud, and were originally used at both Target and Sears, but the question is which retailer is where the number was stolen from.

I understand about the false positives. We already know that Target was an attack vector. Were there any cards used at Sears, and NOT used at Target, which are showing fraud attempts? IMHO, that should be the litmus test before digging into Sears.

The local Sears and KMarts in the San Francisco Bay Area all look like they are sets in a post apocalyptic film.

I guess the local Regional Managers aren't very good at social networking.

"The United States Secret Service is a federal law enforcement agency with headquarters in Washington, D.C., and more than 150 offices throughout the United States and abroad. The Secret Service was established in 1865, solely to suppress the counterfeiting of U.S. currency. Today, the agency is mandated by Congress to carry out dual missions: protection of national and visiting foreign leaders, and criminal investigations."

Edit: It's their raison d'etre.

I suppose the USSS provides security for visiting heads of state, but usually the DSS provide security for foreign diplomats.

This is going to be a huge disappointment if the 29 people that shopped at Sears Holdings based stores were hit.

I worked there, it was some good people and good years, but man, it's just been ravaged lately. Their website is abysmal in every way possible. It's the only website I've gone to that makes me tingle with hatred for it.